MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ce4d6e8ba3ba2d916a91b04d863bc33727ab419f3f8013b3cb610bd49a5b104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 16



SHA256 hash: 0ce4d6e8ba3ba2d916a91b04d863bc33727ab419f3f8013b3cb610bd49a5b104
SHA3-384 hash: 6b77a17364840a4d486754600ed4babbabf0735cc54c45d6f8ab516394330d116912cb607e38be06d698d5b6e0138628
SHA1 hash: 96dce6df15dbafa0f45b4d63c44aa2eb2a4a5c9a
MD5 hash: 6fbe7f72bad2def906f6fea64565588a
humanhash: connecticut-mountain-mountain-low
File name:Payment Details.exe
Signature SnakeKeylogger
File size:770'560 bytes
First seen:2022-11-02 12:26:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qsAgHtDg5xE1l2/NhqNRa9xDbP1Nh66YsQkyZuWI:R4B2ixDbNR4ZBI
Threatray 10'313 similar samples on MalwareBazaar
TLSH T1BEF4389EABD7D11AE03E5F700BD4769BFAA9F11B25037B696140C2772212DC0BAD0F25
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon ccccccb2b28ecccc (6 x SnakeKeylogger, 2 x AgentTesla)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Details.exe
Verdict:
Malicious activity
Analysis date:
2022-11-02 12:27:29 UTC
Tags:
evasion trojan snake

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph (ID 735916, sample: Payment Details.exe, start date: 02/11/2022, architecture: WINDOWS, score: 100):
  Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
  Payment Details.exe (started)
    dropped: C:\Users\user\AppData\...\yWKCXqUaVx.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmpBA87.tmp (XML)
    dropped: C:\Users\user\...\Payment Details.exe.log (ASCII)
    -> MSBuild.exe (started)
         DNS: checkip.dyndns.org
         Connection: checkip.dyndns.com 132.226.8.169, ports 49695/49696 -> 80, UTMEMUS United States
         May check the online IP address of the machine
    -> schtasks.exe (started)
         -> conhost.exe (started)
  yWKCXqUaVx.exe (started; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
    -> MSBuild.exe (started)
         DNS: checkip.dyndns.org
         Tries to steal Mail credentials (via file / registry access)
         Tries to harvest and steal ftp login credentials
         Tries to harvest and steal browser information (history, passwords, etc)
    -> schtasks.exe (started)
         -> conhost.exe (started)
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-11-02 08:14:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5484820495:AAGEjy8dT72vJZImmHLmeh3onMuG9LLRD5A/sendMessage?chat_id=5101327412
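The signatures and the extracted configuration above translate directly into hunting logic: schtasks.exe creating a task from an XML in %TEMP% (the Sigma hit), MSBuild.exe spawned by something other than build tooling (the injection target that later does the credential theft), an external-IP lookup against checkip.dyndns.org, and a Telegram Bot API URL whose path carries the bot token and whose query carries the chat_id. The imphash listed for this file is shared, on the page's own count, by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so imphash-based rule hits say "a .NET binary", not "this family"; the behavioural and network indicators are what separate it. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted above. The events are constructed in a simplified Sysmon-like shape; the command lines, the task name, the checkip URL and the MSBuild parent allowlist are assumptions for illustration, while the hashes, hostnames, IP and Telegram URL come from this entry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed events mirroring the reported process tree (not telemetry from
# the sample): the dropper spawns schtasks.exe with an XML from %TEMP% and
# MSBuild.exe, which then talks to checkip.dyndns.org and the Telegram Bot API.
# The last event is benign developer noise. Command lines and task name are assumptions.
EVENTS = [
    {"type": "process", "pid": 5020, "ppid": 4812,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\Payment Details.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExampleTask" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpBA87.tmp" /F'},
    {"type": "process", "pid": 5100, "ppid": 4812,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\user\Desktop\Payment Details.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "network", "pid": 5100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_host": "checkip.dyndns.org", "dest_ip": "132.226.8.169", "dest_port": 80,
     "url": "http://checkip.dyndns.org/"},
    {"type": "network", "pid": 5100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_host": "api.telegram.org", "dest_port": 443,
     "url": "https://api.telegram.org/bot5484820495:AAGEjy8dT72vJZImmHLmeh3onMuG9LLRD5A/sendMessage?chat_id=5101327412"},
    {"type": "process", "pid": 6001, "ppid": 5990,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe /nologo /t:Build"},
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Parents from which MSBuild.exe is expected; an assumption to tune per environment.
MSBUILD_PARENTS_OK = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
TELEGRAM_BOT_URL = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def schtasks_from_temp(ev):
    """Sigma-style rule: schtasks.exe /Create with an /XML definition under a temp directory."""
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    m = XML_ARG.search(cmd)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if any(t in xml_path.lower() for t in TEMP_DIRS):
        return ("schtasks_from_temp", ev["pid"], xml_path)
    return None

def msbuild_unexpected_parent(ev):
    """MSBuild.exe is a common injection target for .NET loaders; flag it outside build tooling."""
    if ev["type"] != "process" or basename(ev["image"]) != "msbuild.exe":
        return None
    parent = basename(ev["parent_image"])
    if parent in MSBUILD_PARENTS_OK:
        return None
    return ("msbuild_unexpected_parent", ev["pid"], parent)

def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id (None if not one)."""
    m = TELEGRAM_BOT_URL.match(url)
    if not m:
        return None
    bot_id, token, method = m.groups()
    chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token": token, "method": method, "chat_id": chat_id}

def network_indicators(ev):
    """External-IP lookup and Telegram bot traffic, both reported for this sample."""
    if ev["type"] != "network":
        return None
    if ev.get("dest_host", "").lower() in IP_CHECK_HOSTS:
        return ("external_ip_lookup", ev["pid"], ev["dest_host"])
    c2 = parse_telegram_c2(ev.get("url", ""))
    if c2:
        return ("telegram_bot_c2", ev["pid"], f"bot {c2['bot_id']} -> chat {c2['chat_id']}")
    return None

RULES = (schtasks_from_temp, msbuild_unexpected_parent, network_indicators)

def hunt(events):
    """Run every rule over every event; return (rule, pid, detail) findings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

def escalate(findings):
    """PIDs where an injection target (MSBuild.exe with an odd parent) also produced network indicators."""
    injected = {pid for rule, pid, _ in findings if rule == "msbuild_unexpected_parent"}
    beaconing = {pid for rule, pid, _ in findings if rule in ("external_ip_lookup", "telegram_bot_c2")}
    return injected & beaconing

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
    print("escalate:", escalate(hunt(EVENTS)))
```

The escalation step is the part worth keeping: each rule on its own is noisy (developers run MSBuild, admins import scheduled tasks, api.telegram.org is legitimate traffic for a browser), but the same PID being an MSBuild.exe with a non-build parent and then beaconing to an IP-check service or a bot endpoint is the combination this sample exhibits. The parsed bot token is the actionable artefact for reporting the channel; the findings deliberately carry only the bot id and chat_id so the token does not end up in alert text.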
Unpacked files
SHA256 hash:
e43d8d7fc9592084354784b05443a1d32ef2ecf822c7317886fdfe09bec33260
MD5 hash:
a1c59d57bb339db4f37c6bd74572eb1a
SHA1 hash:
b6f583f546b7df26c0929a8b4c4806314d5639ab
Detections:
snake_keylogger
Parent samples :
SHA256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
SHA256 hash:
3333060b1b712c587db1aca1a7b834d6fa3bf1249631d90eb4da05ee95d7ca01
MD5 hash:
c950c5e0dd14c89199424b7daa6f3753
SHA1 hash:
56b2d8b9eced0fd45647f1e7b8e9bcc5ad28ef61
SHA256 hash:
0ce4d6e8ba3ba2d916a91b04d863bc33727ab419f3f8013b3cb610bd49a5b104
MD5 hash:
6fbe7f72bad2def906f6fea64565588a
SHA1 hash:
96dce6df15dbafa0f45b4d63c44aa2eb2a4a5c9a
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 0ce4d6e8ba3ba2d916a91b04d863bc33727ab419f3f8013b3cb610bd49a5b104

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment

Comments